We’re Secure, We’ve had a SAS 70!
So I’m trying to catch up to 1999. I have never in my life “hosted a webex” and I’m being asked to. Surprisingly, their Java app worked nicely on my OS X box. I had always assumed that Lily Tomlin and Co. weren’t interested in us “alternative” OS users. Kudos to them!
But as I was checking everything out, I had to laugh a little when I saw the following in their security .pdf, the one designed to reassure me that everything was going to be cool for my Webex presentation (emphasis mine):
Ernst & Young LLP also performs an annual SAS 70 Type II audit and provides WebEx with a corresponding report….The SAS-70 Type II audit … report allows WebEx to demonstrate that it has adequate controls and safeguards when it handles and processes data belonging to its customers. SAS-70 is the authoritative guidance that allows WebEx to disclose its control activities and processes in a uniform reporting format.
The SAS-70 Type II audit and corresponding report certify that an independent auditor (Ernst & Young) examines, on an ongoing basis, the controls and safeguards WebEx has put in place around the data confidentiality and security of its customers' data. This SAS-70 Type II report is available for review by customer security and audit teams under NDA.
Now mad props to Webex for allowing folks to see their SAS-70 under NDA. A shout out to them for spending the stupid money to have this done. But do any of you readers who have SAS-70 experience consider it to be “the authoritative guidance”? From my experience and understanding, there are reasons not to trust a SAS-70 as a definitive statement about anything.
Complicate the above with the fact that Webex links you to this site for more information on SAS-70. That site might be authoritative, but, forgive me for saying so, it seems a bit amateurish. It’s a great site for you and me, the professional who may not care, and it has really good information, but it’s not something I’d want to show my boss the CISO as proof that Webex is a risk-free proposition.
The Webex .pdf combines this SAS-70 information with a paragraph and link to “WebTrust” certification. You know, WebTrust: “the only consumer or business privacy seal administered by a third-party.” Well, I’d never heard of WebTrust before (or if I had, it just didn’t register with me), so I followed the link in the .pdf. What did I find? My confidence isn’t exactly overflowing. This might be a fat-finger error, since Webtrust.org seems a bit more credible, being a site sponsored by the AICPA, but I had to dig around to find that out.
Understand, I think this is a really low-risk proposition. Checking out security is just something I do, and apparently I’m not alone, as “Security” is among the top 5 popular searches if you check out their search page. Let me also add that my experience is that E&Y does a great job (in fact, dropping their name does more for me than the 3rd-party stuff).
It’s just that when I see statements like this, I get the same feeling that I get when I see those Scan Alert “hackersafe” badges for PCI compliance. The “Crap. These guys really aren’t secure, they’re just doing the easiest thing they can to make the uninformed believe that they’re secure” feeling.
But maybe I just have a low risk tolerance.


Mark MacAuley Apr 2
What are the deltas then between SAS-70 Type II and PCI? Any ideas?
If you want something that will hackerproof your network, take a look at Trusted Network Technologies’ product. It controls signaling in TCP SYN, and if you aren’t in policy, you don’t SYN ACK; no SYN ACK, no data flow or session establishment; no session or data flow, no hack.
dutcher Apr 2
I recall when Webtrust and the complementary Systrust were being heavily hyped by the AICPA a few years ago. I read some of their draft guidance and criteria, and it seemed reasonable to me at the time. I believe the AICPA required their members to attend additional training in order to be able to certify to Webtrust/Systrust. However, the notion that an accounting professional is specially qualified to assess IT controls seemed counterintuitive.
Here’s the link: http://infotech.aicpa.org/Resources/System+Security+and+Reliability/System+Reliability/Trust+Services/
Alex Apr 2
I knew there were good reasons I hung with you, Dutcher. And if you say the draft is ok, I might have to look into it.
I had never heard of webtrust (or at least it never stuck with me), and maybe that hackersafe seal has jaded me on those “3rd party” badges… So you can imagine my thoughts when I was sent to that guy’s site. It wasn’t until I dug into the AICPA stuff that I figured out what was going on.